REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- US Justice Dept. focuses new squad on cybercrime combat - The
threat and consequences of cybersecurity attacks today lead the US
Department of Justice to reorganize in an effort to better battle
APPLE support doc CONFIRMS 'ORGANIZED NETWORK ATTACKS' - China govt:
It wasn't us, honest - Apple is warning its iCloud users over
heightened spying risks following the discovery of attacks which
security watchers have claimed are down to crude snooping by the
Feds urge early cooperation in malware investigations - The
financial services industry has garnered a reputation among
cybersecurity professionals for being among the more resilient
sectors in the face of cyberattacks.
FCC fines telecom companies $10 million - The Federal Communications
Commission (FCC) fined two jointly owned American telecom companies,
TerraCom, Inc. and YourTel America, Inc., $10 million this past week
after they failed to properly protect users' personal information.
Banks Demand That Law Firms Harden Cyberattack Defenses - Background
Checks, System Audits Are Used to Close Potential Back-Door Breaches
- Big banks are demanding that their law firms do more to protect
sensitive information to ensure that they don’t become back doors
- Operators disable firewall features to increase network
performance, survey finds - In a recent survey of 504 IT
professionals, McAfee found that 60 percent prioritize security as
the primary driver of network design – something the company did not
find too surprising considering recent high-profile breaches.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Malware on Breyer Horses website for about 18 months, payment card
data at risk - An undisclosed number of people who made purchases on
the Breyer Horses website between March 31, 2013 and Oct. 6 are
being notified that their personal information – including payment
card data – may have been compromised by malware that was installed
on the computer server hosting the website.
Fidelity National Financial employees targeted in phishing attack -
Fidelity National Financial is notifying an undisclosed number of
individuals that their personal information – including Social
Security numbers, bank account numbers and payment card numbers –
may have been accessible after a small number of employees had their
email accounts compromised in a targeted phishing attack.
Unencrypted discs missing, Arizona State Retirement System notifies
44,000 - The Arizona State Retirement System (ASRS) is notifying
nearly 44,000 individuals enrolled in ASRS dental plans that two
unencrypted discs containing their personal information – including
Social Security numbers – were sent to a benefits company in
Missouri, but were not received.
California data breach report reveals spike in incidents - A new
report by California Attorney General Kamala Harris analyzes the
toll that data breaches have taken on the state's residents and
indicates an uptick in incidents.
Arkansas State University-Beebe is investigating a potential breach
- Arkansas State University-Beebe (ASU-Beebe) is notifying students
and employees that a service running on one of its servers, which
contained personal information, could have exposed the system to a
breach.
- Hackers grab email addresses of CurrentC pilot participants - Just
as the merchants supporting CurrentC had begun to take clear steps
to shut out recently unveiled rival Apple Pay, hackers stole email
addresses from the mobile payment app, leaving some to speculate
that consumer confidence will drop and Apple could gain an
- About 60K transactions possibly affected in Cape May-Lewes Ferry
breach - The security of card processing systems relating to food,
beverage and retail sales at the Cape May-Lewes Ferry was
compromised and data from certain credit and debit cards used from
Sept. 20, 2013 to Aug. 7 may be at risk.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 7: Banks should take appropriate measures to preserve
the confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
4) All access to restricted data is logged and appropriate efforts
are made to ensure that access logs are resistant to tampering.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent, including:
! Inbound and outbound Internet traffic,
! Internal network traffic,
! Firewall events,
! Intrusion detection system events,
! Network and host performance,
! Operating system access (especially high-level administrative
or root access),
! Application access (especially users and objects with write- and
execute privileges), and
! Remote access.
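The two requirements above that have a concrete technical shape, the FFIEC list of what to log and review (root and administrative access, access attempts) and Basel Principle 7's point that access logs must be resistant to tampering, in working form. This is an added example, not code from the newsletter, the FFIEC booklet or the Basel Committee: it runs simple review checks over constructed syslog-style lines for root logins, privileged commands and repeated failed logins, and hash-chains the retained records so that an edited or deleted entry shows up when the final digest is compared with a copy held off the logged host. The line format, the five-failure threshold and the off-host "anchor" are assumptions.

```python
"""Added example (not from the newsletter, the Basel Committee or the FFIEC):
review constructed access-log lines for the events the booklet singles out
and keep the retained records in a tamper-evident hash chain.
Assumptions: a syslog-like line format, a five-failure threshold, and a
final digest ("anchor") copied to a host the logged system cannot write to."""
import hashlib
import re
from collections import Counter

# Constructed sample records; the format is an assumption, not a real export.
SAMPLE_LOG = """\
2014-10-27T08:01:02 host1 sshd: Accepted publickey for alice from 10.0.1.5
2014-10-27T08:02:10 host1 sudo: alice : COMMAND=/bin/cat /etc/shadow
2014-10-27T08:05:00 host2 sshd: Failed password for root from 203.0.113.7
2014-10-27T08:05:03 host2 sshd: Failed password for root from 203.0.113.7
2014-10-27T08:05:07 host2 sshd: Failed password for root from 203.0.113.7
2014-10-27T08:05:09 host2 sshd: Failed password for root from 203.0.113.7
2014-10-27T08:05:12 host2 sshd: Failed password for root from 203.0.113.7
2014-10-27T08:05:20 host2 sshd: Accepted password for root from 203.0.113.7
2014-10-27T08:10:00 host1 sshd: Accepted publickey for bob from 10.0.1.9
"""

FAILED_RE = re.compile(r"sshd: Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd: Accepted \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo: (\S+) : COMMAND=(.*)")
FAIL_THRESHOLD = 5  # assumed policy value for "repeated" failures


def review_log(text):
    """Return the findings a log reviewer would escalate, in log order:
    privileged commands, root logins (flagged harder when the same source
    had already failed repeatedly), and per-source failed-login counts."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if user == "root":
                kind = ("root-login-after-failures"
                        if failures[(user, src)] >= FAIL_THRESHOLD
                        else "root-login")
                findings.append((kind, src))
            continue
        m = SUDO_RE.search(line)
        if m:
            findings.append(("privileged-command", m.group(1), m.group(2)))
    for (user, src), n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("failed-logins", user, src, n))
    return findings


def chain_log(lines, seed="genesis"):
    """Attach to each record the SHA-256 of (previous digest, record), so
    any edit or deletion changes every digest that follows it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, prev))
    return chained


def verify_chain(chained, anchor, seed="genesis"):
    """Recompute the chain. Returns -1 when every record matches its digest
    and the last digest equals the off-host anchor; the index of the first
    record whose stored digest disagrees; or len(chained) when the records
    are internally consistent but the anchor differs (chain rebuilt after an
    edit or deletion)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chained):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return -1 if prev == anchor else len(chained)


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
    records = chain_log(SAMPLE_LOG.splitlines())
    anchor = records[-1][1]          # copy kept on a separate log host
    print(verify_chain(records, anchor))
    edited = list(records)           # attacker rewrites one line in place
    edited[7] = (edited[7][0].replace("Accepted", "Failed"), edited[7][1])
    print(verify_chain(edited, anchor))
```

The chain by itself does not stop someone with write access to the file from editing a record and recomputing every digest after it; it only helps because the final digest is anchored on a host the logged system cannot write to, so a rebuilt chain no longer matches. That is the practical content of the "resistant to tampering" requirement: where the logs and their digests are kept matters as much as how they are hashed.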
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual privacy
notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9); and
c. For customers only, the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of the annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).
(At the end of November 2014, we will discontinue this section on
Internet Privacy. You will find the entire regulation PART
332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at